A significant problem facing the Internet community is that on-line businesses and organizations are vulnerable to malicious attacks. Such attacks are committed using a wide arsenal of techniques and tools that target both the information maintained by the online businesses and their IT infrastructure; for example, recently identified attacks combine techniques at the network and application levels. Attackers use different tools to execute different attack techniques, each tool being designed to exploit weaknesses identified in one of the target's defense layers.
An example of such an attack tool is a Web robot, or bot (a set of such compromised machines under common control is a botnet; the individual tool will be referred to hereinafter as a “bot”). A bot is a software application programmed to execute automated tasks over the Internet. Typically, bots are programmed to perform tasks that are simple and structurally repetitive, at a far higher rate than a human end user could sustain. Malicious users commonly use bots to execute denial-of-service (DoS) attacks, HTTP or HTTPS flood attacks, and click fraud, and to spam large amounts of content over the Internet.
Anti-bot techniques typically attempt to verify that a transaction is initiated by a legitimate client application (e.g., a web browser) that is under the control of a user. Examples of such techniques are SYN cookies, web redirects (e.g., an HTTP 302 redirect message), JavaScript challenges, CAPTCHAs, and the like.
In a CAPTCHA action, an image is sent to the user device. The image contains alphanumeric characters that are difficult for an OCR program to recognize but legible to a human. The user is prompted to enter the characters displayed in the image, and is verified if the characters entered correspond to the characters in the image.
A JavaScript challenge requires the client (web browser) to include a JavaScript engine (or to have JavaScript execution enabled) in order to view the web page or to perform any action in it. JavaScript redirect challenges, in turn, require the browser on the client device to respond to such a message by requesting the new URL specified in the redirect message, or by waiting for an input from the user.
SYN cookie techniques validate that the client issuing the transaction completes the TCP handshake, i.e., that its IP address is not spoofed. However, such techniques are easily passed by an attack tool (or any application) that owns a real IP address rather than a spoofed one.
The CAPTCHA action has been determined to be more effective than the other actions in confirming that a transaction is issued by a human and not by malware. However, at the same time, this technique negatively affects the user experience while accessing the web services. The redirect challenges, on the other hand, provide a “seamless experience” for a legitimate user. Thus, such an authentication technique is typically implemented at least as a first measure for blocking illegitimate users.
FIG. 1 illustrates a schematic diagram of a network system 100 utilized to illustrate execution of script redirect challenges. In the system 100, a client 110 communicates with a server 120 over a network 130. The server 120 is the entity to be protected from malicious threats. The client 110 and the server 120 communicate using communication protocols, such as a hypertext transfer protocol (HTTP), HTTP Secure (HTTPS), and the like. The client 110 is a legitimate client that executes a web browser 115 with a JavaScript engine enabled. An attack tool 140 is also communicatively connected to the network 130. The attack tool 140 executes malicious attacks against the server 120. The attack tool 140 may be, for example, a bot machine.
In a typical in-line deployment such as that illustrated in FIG. 1, a security system 150 is connected in-line with the server 120. The security system 150 intercepts requests (HTTP/HTTPS requests) generated by the client 110 and/or attack tool 140. The requests are directed to the server 120 upon being authenticated.
To authenticate requests directed to the protected server 120, the security system 150 generates an authentication challenge that is difficult for the attack tool 140 to pass, but is not difficult for a legitimate client such as, e.g., client 110, running a web browser. Examples of an authentication challenge are a JavaScript challenge, an HTML5 challenge, and the like.
To this end, the security system 150 intercepts a request directed to the server 120 and returns a response with a piece of JavaScript code. The client 110 or attack tool 140 receiving the response should include a web browser that can parse and run the JavaScript code embedded in the response. Execution of the JavaScript code on the web browser causes either a redirection to a different URL or a prompt for the user to perform an action (such as providing an input, moving the mouse, and so on). If the client is authenticated, the security system 150 may establish a connection, or re-use a pre-established one, with the client to allow direct communication with the protected server 120.
Security threats have become more complex and attackers more sophisticated. For example, a JavaScript redirect challenge can be bypassed by a simple parser, without any JavaScript engine operable in the attack tool, because the challenge script is static: the information it is supposed to reveal is present as a constant in the page source and can be extracted by pattern matching. Another bypass is the use of “headless browsers,” which execute the script without a visible user interface. In addition, attackers increasingly use dynamically changing IP addresses or hide behind proxy servers such as content distribution networks (CDNs).
Therefore, in order to allow efficient mitigation of security attacks, and in particular application-layer attacks, security systems should quickly adapt to new threats. Further, such solutions may need to generate complex challenges that are difficult for evolving threats to bypass. Moreover, the security systems should efficiently mitigate and block attacks during both attack-active and attack-inactive times, also known as “war” and “peace” times, respectively. That is, attacks should be mitigated and blocked both when the volume of attacks is relatively high (“war” times) and when it is relatively low (“peace” times). In particular, current solutions can scale up to mitigate high-volume attacks, but at a cost.
Although existing security systems can mitigate large-scale attacks, such mitigation requires maximizing the utilization of their computing resources. The straightforward approach of increasing the number of systems is therefore costly, and, moreover, such a large number of security systems is not needed during attack-inactive times. Furthermore, conventional security systems cannot be updated to handle new threats on-the-fly, as typical updates require re-configuration of the system and its network connections.
Therefore, it would be advantageous to provide an efficient security solution that would overcome the deficiencies noted above.